[Bug 69] Generalize SSH_ASKPASS

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Aug 30 04:40:29 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=69


Jim Knoble <jmknoble at pobox.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmknoble at pobox.com




--- Comment #10 from Jim Knoble <jmknoble at pobox.com>  2008-08-30 04:40:20 ---
Date: Thu, 28 Aug 2008 15:08:18 -0400
From: Jim Knoble <jmknoble at pobox.com>
To: openssh-unix-dev at mindrot.org
Subject: Re: SSH Command Line Password Support
Message-ID: <20080828190818.GB13711 at crawfish.ais.com>
Mail-Followup-To: openssh-unix-dev at mindrot.org
References: <876324.11513.qm at web30706.mail.mud.yahoo.com>
 <867ia2963m.fsf at ds4.des.no>
 <alpine.BSO.1.10.0808271359360.14747 at fuyu.mindrot.org>
 <slrngbahdp.c3c.janfrode at lc4eb5760521341.ibm.com>
 <87y72itrl7.fsf at squeak.fifthhorseman.net>
 <20080827185507.GD233 at greenie.muc.de>
 <87iqtmkusk.fsf at squeak.fifthhorseman.net>
 <alpine.BSO.1.10.0808280155290.3864 at fuyu.mindrot.org>
 <20080828083820.GC2874 at apb-laptoy.apb.alt.za>
In-Reply-To: <20080828083820.GC2874 at apb-laptoy.apb.alt.za>

Circa 2008-08-28 04:38 dixit Alan Barrett:

: On Thu, 28 Aug 2008, Damien Miller wrote:
: > [old SSH_ASKPASS proposals:]
: > >  http://marc.info/?l=openssh-unix-dev&m=116921620227593&w=2
: > >  https://bugzilla.mindrot.org/show_bug.cgi?id=69
: > 
: > I think we should do something like this, but I remember having some
: > issues with the user-interface.
: 
: I don't like having new environment variables like
: WHEN_TO_USE_SSH_ASKPASS="always" or ALWAYS_USE_SSH_ASKPASS="yes" or
: any other variations on this theme.  I'd prefer to see ssh simply use
: SSH_ASKPASS all the time regardless of whether or not there's a DISPLAY
: or a tty.  If the user wants conditional behaviour, they can set
: SSH_ASKPASS to point to a script that does whatever tests they like when
: it is invoked, or they can use a script to conditionally set SSH_ASKPASS
: to different values before they invoke ssh.
: 
: Alternatively, you could put all the complex policy like "use
: SSH_ASKPASS if foo and not bar" into the configuration file, and let
: SSH_ASKPASS continue to be the only environment variable related to
: this issue.  The main thing is that I want no more than one environment
: variable for this.

Disclaimer:  I'm the creator of x11-ssh-askpass
<http://www.jmknoble.net/software/x11-ssh-askpass/>.

I believe the best way to handle this is with an ssh_config file option
(which can then also be used on the command line).  ssh-add(1) and
ssh-agent(1) also use SSH_ASKPASS and should use a command-line option,
since they don't read ssh_config files.

This allows for the greatest combination of flexibility and backward
compatibility.  For example:

    ssh -oUseSshAskpass=auto
    ssh -oUseSshAskpass=yes
    ssh -oUseSshAskpass=no

    "auto": the current method, and the default.

    "yes": ignore the presence or absence of a controlling terminal
    and a DISPLAY variable, and just use SSH_ASKPASS if it's set.

    "no": ignore SSH_ASKPASS; always prompt the terminal for a
    passphrase or confirmation (if no terminal, fail?).

    "ssh-agent"    => UseSshAskpass=auto
    "ssh-agent -p" => UseSshAskpass=yes
    "ssh-agent -P" => UseSshAskpass=no

    "ssh-add"      => UseSshAskpass=auto
    "ssh-add -p"   => UseSshAskpass=yes
    "ssh-add -P"   => UseSshAskpass=no

Folks who expect the current way of doing things don't have to change
anything.  Folks who want something different can use the command-line
or ssh_config options.  Folks who want something fancy can use
"UseSshAskpass=yes", create wrapper scripts for ssh-add(1) and
ssh-agent(1), and set SSH_ASKPASS to a script which determines what to
do, as Alan Barrett suggests.  

Comments?

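As an added illustration that is not part of this thread or of OpenSSH, the following POSIX shell model encodes the three proposed UseSshAskpass modes and the ssh-add/ssh-agent flag mapping from Comment #10. The "auto" rule it implements (use SSH_ASKPASS only when it is set, DISPLAY is set and there is no controlling terminal) is an assumption about the pre-existing behaviour, and the tty state is passed in as a parameter rather than probed with isatty so the policy can be exercised without a real terminal or X display.

```shell
#!/bin/sh
# Added example, not OpenSSH code: a model of the proposed UseSshAskpass policy.
# Arguments (all explicit so the function runs without a tty or X server):
#   $1  mode: auto | yes | no
#   $2  "tty" if a controlling terminal exists, "notty" otherwise
#   $3  value of DISPLAY (may be empty)
#   $4  value of SSH_ASKPASS (may be empty)
# Prints one of: askpass | terminal | fail
# Assumption: "auto" means the existing rule of using SSH_ASKPASS only when
# it is set, DISPLAY is set and no controlling terminal is available.
askpass_decision() {
    mode=$1 ttystate=$2 display=$3 askpass=$4
    case $mode in
    auto)
        if [ -n "$askpass" ] && [ -n "$display" ] && [ "$ttystate" = notty ]; then
            echo askpass
        elif [ "$ttystate" = tty ]; then
            echo terminal
        else
            echo fail
        fi ;;
    yes)
        # Ignore tty and DISPLAY; use SSH_ASKPASS whenever it is set.
        if [ -n "$askpass" ]; then
            echo askpass
        elif [ "$ttystate" = tty ]; then
            echo terminal
        else
            echo fail
        fi ;;
    no)
        # Ignore SSH_ASKPASS entirely; prompt on the terminal or fail without one.
        if [ "$ttystate" = tty ]; then echo terminal; else echo fail; fi ;;
    *)
        echo "unknown UseSshAskpass mode: $mode" >&2
        return 2 ;;
    esac
}

# Map the proposed ssh-add(1)/ssh-agent(1) flags onto the same three modes.
# An empty argument stands for "no flag given".
flag_to_mode() {
    case $1 in
    "") echo auto ;;
    -p) echo yes ;;
    -P) echo no ;;
    *)  echo "unknown flag: $1" >&2; return 2 ;;
    esac
}
```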